CVE-2021-21826

Name of the Vulnerable Software and Affected Versions AT&T Labs Xmill version 0.7

Description A heap-based buffer overflow issue exists in the XML Decompression DecodeTreeBlock functionality. Within DecodeTreeBlock, which is called during the decompression of an XMI file, a UINT32 is loaded from the file and used as trusted input as the length of a buffer. An attacker can provide a malicious file to trigger this issue, potentially allowing a remote attacker to execute arbitrary code.

Recommendations For AT&T Labs Xmill version 0.7, as a temporary workaround, consider disabling the DecodeTreeBlock function until a patch is available. Restrict access to the XML decompression functionality to minimize the risk of exploitation. Avoid using untrusted input files for decompression until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.